pfSense gateway groups only reroute traffic that is matched by firewall rules pointing at the group; traffic originating from the router itself (DNS resolver, VPN, …) keeps using the system default route when a gateway goes down, even if another gateway is configured in the same gateway group. I have therefore written the following script, which you can run from a cron job. It changes the IPv4 default route, and with it basically all traffic not explicitly policy-routed via firewall rules, including the firewall's internal services.

MOBILE1 needs to be set to your second gateway, in my case a mobile LTE device.

MOBILE2 and MOBILE3 need to be set to rarely used IPs, so that little LTE traffic goes there, because MOBILE2 and MOBILE3 must always be statically routed via LTE in order to check the LTE path's reachability.

WAN1 needs to be set to your main gateway, in my case a FritzBox.

WAN2 and WAN3 need to be set to hosts you usually want to reach but can live without while the WAN gateway is down, because WAN2 and WAN3 must always be statically routed via WAN in order to check the WAN path's reachability.

The script will log changes and send mails to the email address configured in pfSense.
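As an added example (this is not the post's own script, which is not reproduced on the page), the following POSIX sh script implements the failover logic described above for a FreeBSD-based pfSense box: it probes WAN2/WAN3 and MOBILE2/MOBILE3, prefers WAN whenever that path answers, falls back to MOBILE otherwise, and only touches the default route when the decision differs from the last run. All addresses, the state-file path and the syslog tag are constructed placeholders; the e-mail notification is left to whatever mail mechanism you use and only a syslog line is written here.

```sh
#!/bin/sh
# Added example, not the post's script: cron-driven IPv4 default-route failover.
# All addresses below are constructed placeholders; replace them with your own.
WAN1="192.0.2.1"           # main gateway (e.g. the FritzBox)
WAN2="198.51.100.10"       # probe hosts that are statically routed via WAN1
WAN3="198.51.100.11"
MOBILE1="192.0.2.254"      # second gateway (e.g. the LTE device)
MOBILE2="203.0.113.10"     # rarely used probe hosts, statically routed via MOBILE1
MOBILE3="203.0.113.11"
STATE_FILE="/var/db/gw-failover.state"   # assumed path; remembers the active gateway

# Returns 0 when one ICMP echo to $1 is answered.
# FreeBSD ping(8): -W is the per-reply timeout in milliseconds.
reachable() { ping -c 1 -W 2000 "$1" >/dev/null 2>&1; }

# Prints 1 when at least one of the two probe hosts answers, else 0.
# Two probes per path so that a single dead host does not trigger a failover.
path_up() {
    if reachable "$1" || reachable "$2"; then echo 1; else echo 0; fi
}

# Pure, testable decision logic: arguments are the WAN-up flag, the MOBILE-up
# flag and the currently active gateway name. WAN wins whenever it is up; if
# neither path answers, the current gateway is kept to avoid pointless flapping.
decide() {
    wan_up=$1 mobile_up=$2 current=$3
    if [ "$wan_up" = 1 ]; then echo WAN
    elif [ "$mobile_up" = 1 ]; then echo MOBILE
    else echo "$current"
    fi
}

# Maps a gateway name to its address.
gateway_ip() {
    case "$1" in WAN) echo "$WAN1" ;; MOBILE) echo "$MOBILE1" ;; esac
}

main() {
    current=$(cat "$STATE_FILE" 2>/dev/null || echo WAN)
    wanted=$(decide "$(path_up "$WAN2" "$WAN3")" "$(path_up "$MOBILE2" "$MOBILE3")" "$current")
    [ "$wanted" = "$current" ] && exit 0
    # Replace the default route; this also moves the firewall's own traffic
    # (DNS resolver, VPN, ...), which gateway groups alone do not reroute.
    route change default "$(gateway_ip "$wanted")" >/dev/null
    echo "$wanted" > "$STATE_FILE"
    logger -t gw-failover "default route switched from $current to $wanted"
}

# Only act when invoked as "gw-failover.sh run" (from cron); otherwise just define functions.
case "${1:-}" in run) main ;; esac
```

A cron entry such as `* * * * * /usr/local/bin/gw-failover.sh run` runs it once per minute; the state file is what lets the script stay silent while nothing changes, so the log only ever shows real switches.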

Then run the following script (modify it to your needs), which prints out the commands for the pfSense shell. Since my DHCPD configuration relies on existing DNS entries and uses hostnames as "fixed-address" values, I need to resolve these entries with a dig command. If your file always uses IP addresses, just parse them out:

This will generate the following output, ready to paste into the pfSense shell:

// Load the running pfSense configuration into $config
global $config;
parse_config(true);
// One Unbound host override per migrated DHCP entry; the index must continue
// after any overrides that already exist (see below)
$config['unbound']['hosts']['0']['host']="name";
$config['unbound']['hosts']['0']['domain']="domain.com";
$config['unbound']['hosts']['0']['ip']="192.168.1.1";
$config['unbound']['hosts']['0']['descr']="Automatically migrated";
$config['unbound']['hosts']['1']['host']="name2";
$config['unbound']['hosts']['1']['domain']="domain2.com";
$config['unbound']['hosts']['1']['ip']="192.168.2.1";
$config['unbound']['hosts']['1']['descr']="Automatically migrated";
$config['unbound']['hosts']['2']['host']="name3";
$config['unbound']['hosts']['2']['domain']="domain2.de";
$config['unbound']['hosts']['2']['ip']="192.168.2.2";
$config['unbound']['hosts']['2']['descr']="Automatically migrated";
// Persist config.xml, then "exec" makes the pfSense shell run the buffered lines
write_config();
exec

Please keep in mind that the index starts at 0, which is only valid for an empty list of host overrides in your pfSense Unbound/DNS Resolver configuration. For each entry that already exists, add 1 to the starting index of 0; otherwise the generated lines overwrite the existing entries.
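The generator script referred to above is not on the page, so here is an added example that covers both the generator and the index caveat (it is not the post's script): a POSIX sh script using awk that parses ISC dhcpd `host` blocks, passes literal IPs through, resolves hostname-valued `fixed-address` entries with `dig +short A` as the post does, and prints the pfSense shell lines starting at a caller-supplied index. The sample configuration in the test and the assumption that the `host` label is the FQDN are constructed for this example.

```sh
#!/bin/sh
# Added example, not the post's script: turns ISC dhcpd "host" blocks with
# fixed-address entries into pfSense shell commands that add Unbound host overrides.
# Usage: dhcp2unbound.sh /etc/dhcp/dhcpd.conf [start_index]
# start_index must equal the number of host overrides that already exist in pfSense.
# Assumption: the label of each host block is the host's FQDN (host nas.example.com { ... }).

# Prints "label fixed-address" pairs, one per line, for every host block.
# Handles blocks spanning several lines and ignores commented-out lines.
parse_fixed_addresses() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*host[ \t]/ { name = $2; sub(/\{.*/, "", name) }
        /fixed-address/ && name != "" {
            addr = $0
            sub(/.*fixed-address[ \t]+/, "", addr) # keep text after the keyword
            sub(/[ \t]*;.*/, "", addr)             # drop the terminating ";" and rest
            print name, addr
        }
        /\}/ { name = "" }                         # block closed
    ' "$1"
}

# Prints the IPv4 address for a fixed-address value: literal IPs pass through,
# hostnames are resolved with dig (the post's approach for DNS-named entries).
resolve_v4() {
    case "$1" in
        *[!0-9.]*) dig +short A "$1" | grep '^[0-9.]*$' | head -n 1 ;;
        *)         echo "$1" ;;
    esac
}

# Emits the four pfSense shell assignments for one Unbound host override.
emit_override() {   # index host domain ip
    i=$1 host=$2 domain=$3 ip=$4
    printf "\$config['unbound']['hosts']['%s']['host']=\"%s\";\n" "$i" "$host"
    printf "\$config['unbound']['hosts']['%s']['domain']=\"%s\";\n" "$i" "$domain"
    printf "\$config['unbound']['hosts']['%s']['ip']=\"%s\";\n" "$i" "$ip"
    printf "\$config['unbound']['hosts']['%s']['descr']=\"Automatically migrated\";\n" "$i"
}

main() {
    conf=$1; i=${2:-0}
    echo 'global $config;'
    echo 'parse_config(true);'
    parse_fixed_addresses "$conf" | while read -r fqdn fixed; do
        ip=$(resolve_v4 "$fixed")
        [ -n "$ip" ] || { echo "# skipped $fqdn: could not resolve $fixed" >&2; continue; }
        host=${fqdn%%.*}           # first label is the short host name
        domain=${fqdn#*.}          # remainder is the domain; a bare name gets none
        [ "$domain" = "$fqdn" ] && domain=""
        emit_override "$i" "$host" "$domain" "$ip"
        i=$((i + 1))
    done
    echo 'write_config();'
    echo 'exec'
}

# Run only when a config file is given; sourcing the file just defines the functions.
case $# in 0) ;; *) main "$@" ;; esac
```

Run it as `sh dhcp2unbound.sh /etc/dhcp/dhcpd.conf 5` when five host overrides already exist; entries that cannot be resolved are reported on stderr and skipped rather than producing an override with an empty IP.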

For systems that do not provide Sixxs' aiccu package to set up a GIF tunnel automatically, you can easily start the tunnel (not set up the routing 🙂 ) by executing the following script once per minute via cron:
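The post's own script is not on the page; the following is an added example, not the author's code, of such a cron-driven bring-up for a static 6in4 tunnel on a FreeBSD gif(4) interface (on Linux the equivalent is `ip tunnel add ... mode sit`). It is idempotent, so running it every minute only acts when the interface is missing, and it deliberately leaves routing alone. The endpoint addresses and the interface name are constructed placeholders; a heartbeat or AYIYA tunnel still needs aiccu, since those require its signalling protocol.

```sh
#!/bin/sh
# Added example, not the post's script: brings up a static 6in4 tunnel on a
# FreeBSD gif(4) interface when it is not configured yet. Safe to run from cron
# every minute. Addresses are constructed placeholders.
IFACE="gif0"
LOCAL4="192.0.2.10"      # your public IPv4 endpoint
POP4="198.51.100.1"      # the PoP's IPv4 endpoint
LOCAL6="2001:db8:1::2"   # your side of the tunnel
POP6="2001:db8:1::1"     # the PoP's side

# Returns 0 when the interface already exists with a tunnel endpoint configured
# (FreeBSD ifconfig prints a "tunnel inet A --> B" line for configured gif interfaces).
tunnel_present() {
    ifconfig "$1" 2>/dev/null | grep -q 'tunnel inet'
}

# Prints the ifconfig(8) commands that create, address and enable the tunnel.
tunnel_commands() {   # iface local4 pop4 local6 pop6
    echo "ifconfig $1 create"
    echo "ifconfig $1 tunnel $2 $3"
    echo "ifconfig $1 inet6 $4 $5 prefixlen 128"
    echo "ifconfig $1 up"
}

main() {
    tunnel_present "$IFACE" && exit 0      # idempotent: already up, nothing to do
    tunnel_commands "$IFACE" "$LOCAL4" "$POP4" "$LOCAL6" "$POP6" | sh -e
    logger -t sixxs-tunnel "$IFACE brought up towards $POP4"
}

# Only act when invoked as "sixxs-tunnel.sh run" (from cron).
case "${1:-}" in run) main ;; esac
```

Because the commands are generated by one function and executed by `sh -e`, a failing step stops the sequence instead of leaving a half-configured interface that the next cron run would then skip.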

I configured OpenVPN to send an email when a client connects or disconnects. The script wants to use the mail command, which is not installed by default on Xenial. This leads to a client-connect script error, which in turn makes OpenVPN respond with AUTH_FAILED, which in turn produces the "Wrong username/password" error message on the clients.
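The failure mode above comes from the script's exit status: OpenVPN treats a non-zero exit from a client-connect script as a rejection. As an added example (not the post's script), here is a notification script that uses `mail` when it is installed, falls back to syslog otherwise, and always exits 0, so a missing mailer can no longer lock clients out. `common_name`, `trusted_ip` and `script_type` are environment variables OpenVPN sets for these hooks; the recipient address and the hook paths in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not the post's script: OpenVPN client-connect/disconnect
# notification that never fails the connection. Reference it from server.conf:
#   script-security 2
#   client-connect    /etc/openvpn/notify.sh   (assumed path)
#   client-disconnect /etc/openvpn/notify.sh
RECIPIENT="admin@example.com"   # assumed recipient

# Builds the one-line message from OpenVPN's environment variables.
build_message() {   # script_type common_name trusted_ip
    case "$1" in
        client-connect)    verb="connected" ;;
        client-disconnect) verb="disconnected" ;;
        *)                 verb="$1" ;;
    esac
    echo "OpenVPN client $2 $verb from $3"
}

# Delivers the message with mail(1) when present, otherwise via syslog.
# Returns 0 in both cases so a missing mailer cannot produce the
# client-connect failure that OpenVPN reports to the peer as AUTH_FAILED.
notify() {
    msg=$1
    if command -v mail >/dev/null 2>&1; then
        echo "$msg" | mail -s "$msg" "$RECIPIENT"
    else
        logger -t openvpn-notify "$msg (mail command not installed)"
    fi
    return 0
}

# Only act when OpenVPN calls us (script_type is set); otherwise just define functions.
if [ -n "${script_type:-}" ]; then
    notify "$(build_message "$script_type" "${common_name:-unknown}" "${trusted_ip:-unknown}")"
fi
```

Since the `if` block is the last statement, the script's exit status is 0 whether or not it ran, and the syslog fallback means a connect/disconnect is still recorded somewhere when mail delivery is unavailable.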

If you have set up your authorized_keys correctly and are sure it should allow you to log in with keys, then maybe SELinux is giving you a hard time, especially if your user's home directory is not under the usual /home. After setting "LogLevel DEBUG" in /etc/ssh/sshd_config you will see in your /var/log/{auth,secure} files that sshd is not allowed to open authorized_keys and/or authorized_keys2.
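To confirm that SELinux rather than file permissions is the cause, and to fix it persistently, the following added example (not from the post) reads sshd's AVC denials from the audit log, reports every target file that is not labelled `ssh_home_t`, and relabels a non-standard home base directory by declaring it equivalent to /home with `semanage fcontext -e`, so it inherits the home-directory labelling rules. The base path /srv/users and the audit line used in the test are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the post: diagnose the SELinux denial sshd logs when
# a user's home lives outside /home, then relabel the base directory.
# Usage: ssh-selinux.sh check | fix /srv/users     (base path is an assumption)

# Extracts the type part of tcontext from one AVC audit line, e.g. "default_t".
avc_target_type() {
    sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Reads raw audit lines from stdin and prints "name type" for every denied
# sshd access whose target is not labelled ssh_home_t (the expected label of ~/.ssh).
sshd_mislabelled_targets() {
    grep 'comm="sshd"' | grep 'denied' | while read -r line; do
        t=$(printf '%s\n' "$line" | avc_target_type)
        name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
        [ "$t" = ssh_home_t ] || echo "$name $t"
    done
}

fix() {
    base=${1%/}
    # Make everything under BASE follow /home's labelling rules (user_home_dir_t
    # for the home directories, ssh_home_t for .ssh, ...) and apply them on disk.
    semanage fcontext -a -e /home "$base"
    restorecon -R -v "$base"
    # Verify: each user's .ssh directory should now show ssh_home_t.
    ls -Zd "$base"/*/.ssh
}

case "${1:-}" in
    check) ausearch -m AVC -c sshd --raw 2>/dev/null | sshd_mislabelled_targets ;;
    fix)   fix "${2:?base directory required}" ;;
esac
```

`ssh-selinux.sh check` is the quick test to run before changing anything: an empty result means SELinux is not what is blocking the login, and a line such as `authorized_keys default_t` points straight at the wrong label that `ssh-selinux.sh fix /srv/users` corrects. Using the equivalence rule instead of a single `-t ssh_home_t` pattern also labels the home directory itself correctly, which sshd must be able to traverse.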